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February 26 , 1998 


Comments on the Laboratory Information Management System Request for Proposals 
General Comments: 

The introduction to the RFP states that the R&D Department of PM intends to install LIMS in stages 
with measurable milestones for each stage. It goes on to state that the initial stage will consist of a 
relatively small project utilizing some labs that have been using an internally-coded LIMS and other labs 
that have never used a LIMS. Not clear, however, is that PM needs a single-vendor supplied system that 
is compatible with all implementations of LIMS in all PM departments and locations. 

However, we recognize PM may not be prepared, at this time, to provide detailed specifications for each 
implementation. We therefore recommend that PM require the vendor to supply a system that provides 
base-level common functionality (e.g., database design, instrumentation interfaces, system security, UI 
iook-and-feel) to all LIMS implementations. The specific requirements of the R&D Department initial 
implementations should then be described in detail. 

The vendor should then be required to validate fully the base system and, in this first specific case, the 
system as delivered to the R&D Department’s initial-implementation laboratories. 

Once the base system and initial-implementation systems are validated and accepted, we recommend 
that PM then conduct a phased rollout of the base system as tuned for the requirements of other 
implementations. This way, only one validation need be performed on the base system. Validation of 
tuned systems can then concentrate only on the specific requirements of that PM component. 

Requirements for Validation: 

The RFP mentions validation, electronic signature support, GLP and GALP compliance, and ISO 9000. 
The vendors need to be advised the system is required to meet the validation requirements of FDA. We 
recommend that PM require the vendor to provide objective evidence that they properly validated the 
system. This way, PM will need only to validate the installation and not the delivered code. Examples 
of the type of documents required from the vendor are as follows: 

1. Functional Specifications and Updates 

2. Development Methodology 

3. Software Development Life Cycle 
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4. Validation Plan 

5. System Design Specification and Updates 

6. Installation Qualification Protocol 

7. Operational Qualification Protocol 

8. Performance Qualification Protocol 

9. Unit and Integration Test Procedures 

10. Unit and Integration Test Reports 

11. Traceability Matrix 

12. Training Materials 

13. Source Code 

14. Executable Code 

15. Code Review Documentation 


The vendor should be advised that as part of the FDA validation requirements, vendor qualifications will 
be reviewed and audited. This review involves determination of vendor qualifications, review of the 
vendor’s quality assurance systems, vendor audits by PM, establishment of a Vendor Quality 
Management Plan, and in-process reviews and audits. 


Additionally, the PM project team for this project should also thoroughly understand FDA validation 
requirements. The project team will be responsible for ensuring adherence to the “interim” PM IS 
validation procedures. 


Specific Comments: 

On page 25 of the RFP, a statement denotes that electronic signatures may be required. If PM wants to 
use electronic signature and records, the system must meet the requirements of Part 11, Title 21 of the 
Code of Federal Regulations (21 CFR 11) for electronic signatures and records. 

Philip Morris is asking for much more than an off-the-shelf system with minor modifications. A 
complete evaluation of the RFP, in our view, will require quite a bit of communication between each of 
the three proposed vendors and Philip Morris. This will be made all the more complex because of the 
injunction, on p. 96, that “No pre-bid site inspection will be permitted.” If at all possible, we 
recommend that this injunction be lifted. This should be accomplished by a single vendor meeting 
where PM technical leads would answer questions, as needed, to clarify technical requirements of the 
RFP. The meeting would also include a PM-conducted tour of laboratory and manufacturing facilities. 


The successful initial implementation must be completed by September 1,1998. In our experience, the 
development of such a complex system will take much longer than the three months proposed in the 
RFP (June 1 commencement and September 1 completion.) There will be need for several user- 
developer design conferences, testing, validation and final acceptance, before the initial implementation 
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can be considered complete. 

On page 13, the RFP states that future plans for desktop development include purchase or lease of 
systems running Windows 95/98 or Windows NT 4.0/5.0 Workstation. Windows 95 is really not 
suitable in a highly secure environment where data integrity is the key. Any user can simply bypass all 
security by hitting the escape key during network logon. While unable to access server-based files, the 
unauthorized user would be able to access any folder or file on the client machine, including data 
downloaded from analytical instruments before they are uploaded to the server. We therefore 
recommend that PM standardize on Windows NT Workstation as its client computer platform and that 
all client software be compatible with the NT platform. 

Database Formats, p. 14 - Because Sybase and Microsoft’s SQL Server are based on the same design 
concept, we recommend changing the wording here so that although Sybase is the current database 
format, Microsoft SQL Server would also be acceptable. Conversion from Sybase to SQL Server is not 
all that complex. SQL Server has the additional advantage of tight integration with the NT Security 
Subsystem that may be part of the vendors’ proposals. 

Page 23 - Year 2000 Compliance. This is in conflict with Figure 30, p. 122. We recommend changing 
the wording of the PTL Request Coding Format to state that although the two-character year designation 
is currently used, the new fifteen character preferred format include four (or three)- digit year 
designations. However, if Y2K compliance was not considered in the request for a fifteen-character 
code, the requested length should be increased to accommodate such compliance. 

Password Administration, p. 25. We recommend that in addition to a password expiration date and 
account unlocking, the vendor should be required also to describe how the administrator will support 
password uniqueness, minimum password length, and, if desired, requiring alphanumeric passwords. 

Page 64. We recommend defining the term “sample plan” as used in the context of subsection a. 

Page 83. The next-to-last paragraph asks for a system to send e-mail from Semiworks to the customer 
when samples are ready for pick up. Yet, from the preceding discussions, it appears the “customer” is 
Semiworks. Should this read, “We want to send email from Semiworks to the laboratory when samples 
are ready for pick up?” 
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